US11689501B2 · Active · Utility · PatentIndex 47
Data transfer method and virtual switch
Assignee: HUAWEI CLOUD COMPUTING TECH CO LTD · Priority: Dec 27, 2017 · Filed: Jun 24, 2020 · Granted: Jun 27, 2023
Est. expiry: Dec 27, 2037 (~11.5 yrs left) · nominal 20-yr term from priority
CPC: H04L 63/0245, H04L 45/586, H04L 63/20, H04L 69/22, H04L 47/31, H04L 63/166, H04L 12/4625, H04L 63/0227, H04L 12/462, H04L 45/74, H04L 49/70, H04L 63/08
PatentIndex Score: 47 · Cited by: 0 · References: 23 · Claims: 20
Abstract
A data transfer method and a virtual switch, where when receiving a data packet, the virtual switch extracts characteristic information of the data packet, and determines, based on the extracted characteristic information of the data packet, whether an expedited forwarding rule is configured for a data stream to which the data packet belongs. If the expedited forwarding rule is configured for the data stream to which the data packet belongs, the virtual switch bypasses a LINUX bridge to directly send the data packet to a receive end, thereby reducing times of data packet switching between a kernel mode and a user mode, and improving data packet forwarding efficiency.
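The forwarding decision summarized in the abstract and spelled out in claims 1 through 11, worked as an added Python model. This is an illustration written for this page, not Huawei's implementation: the switch extracts the IP quintuplet, sends the first packet of a stream to a verification callback, installs an expedited forwarding rule once the packet comes back verified, and lets later packets of that stream bypass verification; fragments and other packets that carry no quintuplet are always verified and never cached, and a packet that fails verification is dropped. The `Packet` fields, the `VirtualSwitch` class, the verifier callback and the sample packets in `demo()` are all constructed assumptions.

```python
"""Flow-cached security verification in a virtual switch, modelled on the
claims of US11689501B2. Added illustration, not Huawei's code: the 5-tuple
key, the verifier callback and the sample packets are constructed here."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

FiveTuple = Tuple[str, str, int, int, str]


@dataclass
class Packet:
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None   # transport-layer protocol, e.g. "tcp" / "udp"
    fragment: bool = False        # non-initial IP fragment: no L4 header, hence no quintuplet
    verified: bool = False        # set when the packet returns from the verification system


class VirtualSwitch:
    """Forwarding decision per claims 1-4, 8 and 9: verify once per stream, then bypass."""

    def __init__(self, verifier: Callable[[Packet], bool]):
        self.verifier = verifier              # stands in for the security verification system
        self.expedited: Set[FiveTuple] = set()  # expedited forwarding rules, keyed by quintuplet
        self.verifier_calls = 0

    @staticmethod
    def characteristic_info(pkt: Packet) -> Optional[FiveTuple]:
        """IP quintuplet of claim 5; None means 'non-IP' in the claims' sense (claims 6-7)."""
        fields = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)
        if pkt.fragment or any(f is None for f in fields):
            return None
        return fields  # type: ignore[return-value]

    def handle(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one packet."""
        key = self.characteristic_info(pkt)
        # Claims 3-4: a packet already verified installs the rule for its stream and is sent on.
        if pkt.verified:
            if key is not None:
                self.expedited.add(key)
            return "forward"
        # Claim 1: packets without a quintuplet always go to the verifier; nothing to cache.
        if key is None:
            return self._verify(pkt)
        # Claims 1 and 11: a stream with an expedited rule bypasses verification entirely.
        if key in self.expedited:
            return "forward"
        # Claims 2 and 10: no rule yet, so this first packet of the stream is verified.
        return self._verify(pkt)

    def _verify(self, pkt: Packet) -> str:
        self.verifier_calls += 1
        if not self.verifier(pkt):
            return "drop"                # claim 8: verification failed
        pkt.verified = True
        return self.handle(pkt)          # claim 9: re-enters the switch as a verified packet


def demo() -> Dict[str, object]:
    """Constructed traffic: one allowed stream, one fragment, one refused stream."""
    # Constructed policy: the verifier refuses anything to TCP port 23 and accepts the rest.
    switch = VirtualSwitch(verifier=lambda p: not (p.proto == "tcp" and p.dst_port == 23))
    web = dict(src_ip="10.0.0.5", dst_ip="10.0.1.9", src_port=40001, dst_port=443, proto="tcp")
    return {
        "first": switch.handle(Packet(**web)),            # verified, rule installed
        "second": switch.handle(Packet(**web)),           # bypasses the verifier
        "calls_after_two": switch.verifier_calls,         # 1: second packet never verified
        "fragment": switch.handle(Packet(src_ip="10.0.0.5", dst_ip="10.0.1.9", fragment=True)),
        "calls_after_fragment": switch.verifier_calls,    # 2: fragments never use the fast path
        "telnet": switch.handle(Packet(src_ip="10.0.0.5", dst_ip="10.0.1.9",
                                       src_port=40002, dst_port=23, proto="tcp")),
        "rules": len(switch.expedited),                   # 1: a dropped stream gets no rule
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the verifier invoked once for the port 443 stream, once for the fragment and once for the refused stream, with a single expedited rule installed. Two properties worth checking in a real deployment are visible in the model: only the first packet of a quintuplet is ever examined, so the guarantee the fast path gives is per-stream rather than per-packet inspection, and the rule set here never ages out, whereas a production switch needs a rule lifetime and removal on stream teardown, which the claims do not specify.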
Claims
exact text as granted — not AI-modified
What is claimed is:
1. A data transfer method implemented by a virtual switch, wherein the data transfer method comprises:
receiving a first data packet;
determining, based on characteristic information, whether the first data packet is an Internet Protocol (IP) data packet or a non-IP data packet, wherein the virtual switch determines that the first data packet is the IP data packet when the first data packet has the characteristic information, and wherein the first data packet is the non-IP data packet when the first data packet does not have the characteristic information;
forwarding, in response to determining that the first data packet is the non-IP data packet, the first data packet to a security verification system;
extracting, in response to determining that the first data packet is the IP data packet, the characteristic information of the first data packet;
determining, based on the characteristic information, whether an expedited forwarding rule is configured for a data stream to which the first data packet belongs, wherein the expedited forwarding rule indicates that a second data packet in the data stream has previously been verified by the security verification system with a secure verification result; and
bypassing the security verification system to send the first data packet to a receive end when the expedited forwarding rule is configured for the data stream.
2. The data transfer method of claim 1 , further comprising forwarding the first data packet to the security verification system when the expedited forwarding rule is not configured for the data stream.
3. The data transfer method of claim 1 , wherein before extracting the characteristic information, the data transfer method further comprises:
determining whether security verification on the first data packet has been performed; and
extracting the characteristic information of the first data packet when the security verification on the first data packet has not been performed.
4. The data transfer method of claim 3 , wherein when the security verification on the first data packet has been performed, the data transfer method further comprises:
establishing, based on the characteristic information, the expedited forwarding rule for the data stream; and
sending the first data packet to the receive end.
5. The data transfer method of claim 1 , wherein the characteristic information comprises IP quintuplet information, wherein the IP quintuplet information comprises:
an IP address of a transmit end that sends the first data packet to the virtual switch;
an IP address of the receive end;
a port number of the transmit end;
a port number of the receive end; and
a transport layer protocol of the first data packet, and wherein the expedited forwarding rule comprises the IP quintuplet information.
6. The data transfer method of claim 1 , wherein the non-IP data packet comprises a fragmented packet.
7. The data transfer method of claim 1 , wherein the non-IP data packet comprises a traceroute packet.
8. The data transfer method of claim 1 , further comprising discarding the first data packet when the first data packet is forwarded to the security verification system and the security verification fails.
9. The data transfer method of claim 1 , further comprising forwarding the first data packet to the receive end when the first data packet is forwarded to the security verification system and the security verification succeeds.
10. The data transfer method of claim 1 , further comprising forwarding the first data packet to the security verification system for performing a security verification on the first data packet when the expedited forwarding rule is not configured for the data stream.
11. The data transfer method of claim 1 , wherein bypassing the security verification system comprises bypassing the security verification system to send the first data packet to the receive end without performing the security verification on the first data packet when the expedited forwarding rule is configured for the data stream.
12. A virtual switch comprising:
a memory configured to store execution instructions; and
a processor coupled to the memory, wherein the execution instructions cause the processor to be configured to:
receive a first data packet;
determine, based on characteristic information, whether the first data packet is an Internet Protocol (IP) data packet or a non-IP data packet, wherein the virtual switch determines that the first data packet is the IP data packet when the first data packet has the characteristic information, and wherein the first data packet is the non-IP data packet when the first data packet does not have the characteristic information;
forward, in response to determining that the first data packet is the non-IP data packet, the first data packet to a security verification system;
extract, in response to determining that the first data packet is the IP data packet, the extract characteristic information of the first data packet, wherein the characteristic information comprises IP quintuplet information, and wherein the IP quintuplet information comprises an IP address of a transmit end that sends the first data packet to the virtual switch, an IP address of a receive end, a port number of the transmit end, a port number of the receive end, and a transport layer protocol of the first data packet;
determine, based on the characteristic information, whether an expedited forwarding rule is configured for a data stream to which the first data packet belongs, wherein the expedited forwarding rule indicates that a second data packet in the data stream has previously been verified by the security verification system with a secure verification result, and wherein the expedited forwarding rule comprises the IP quintuplet information; and
bypass the security verification system to send the first data packet to the receive end when the expedited forwarding rule is configured for the data stream.
13. The virtual switch of claim 12 , wherein the execution instructions further cause the processor to be configured to forward the first data packet to the security verification system when the expedited forwarding rule is not configured for the data stream.
14. The virtual switch of claim 12 , wherein the execution instructions further cause the processor to be configured to:
determine whether security verification on the first data packet has been performed; and
extract the characteristic information of the first data packet when the security verification on the first data packet has not been performed.
15. The virtual switch of claim 14 , wherein when the security verification on the first data packet has been performed, the execution instructions further cause the processor to be configured to:
establish, based on the characteristic information, the expedited forwarding rule for the data stream; and
send the first data packet to the receive end.
16. A computer program product comprising computer-executable instructions for storage on a non-transitory computer-readable storage medium that, when executed by a processor, cause a virtual switch to:
receive a first data packet;
determine, based on characteristic information, whether the first data packet is an Internet Protocol (IP) data packet or a non-IP data packet, wherein the virtual switch determines that the first data packet is the IP data packet when the first data packet has the characteristic information, and wherein the first data packet is the non-IP data packet when the first data packet does not have the characteristic information;
forward, in response to determining that the first data packet is the non-IP data packet, the first data packet to a security verification system;
extract, in response to determining that the first data packet is the IP data packet, the extract characteristic information of the first data packet;
determine, based on the characteristic information, whether an expedited forwarding rule is configured for a data stream to which the first data packet belongs, wherein the expedited forwarding rule indicates that a second data packet in the data stream has previously been verified by the security verification system with a secure verification result; and
bypass the security verification system to send the first data packet to a receive end when the expedited forwarding rule is configured for the data stream.
17. The computer program product of claim 16 , wherein the computer-executable instructions further cause the virtual switch to forward the first data packet to the security verification system when the expedited forwarding rule is not configured for the data stream.
18. The computer program product of claim 16 , wherein before extracting the characteristic information, the computer-executable instructions further cause the virtual switch to:
determine whether security verification on the first data packet has been performed; and
extract the characteristic information of the first data packet when the security verification on the first data packet has not been performed.
19. The computer program product of claim 18 , wherein when the security verification on the first data packet has been performed, the computer-executable instructions further cause the virtual switch to:
establish, based on the characteristic information, the expedited forwarding rule for the data stream; and
send the first data packet to the receive end.
20. The computer program product of claim 16 , wherein the characteristic information comprises IP quintuplet information, wherein the IP quintuplet information comprises:
an IP address of a transmit end that sends the first data packet to the virtual switch;
an IP address of the receive end;
a port number of the transmit end;
a port number of the receive end; and
a transport layer protocol of the first data packet, and wherein the expedited forwarding rule comprises the IP quintuplet information.
Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.